The AORDD Framework

cursefarm (Networks and Communications)

24 Oct 2013 (3 years and 7 months ago)


Decision Support
for Choice of Security Solution:
The AORDD Framework
Siv Hilde Houmb
Department of Computer and Information Science, NTNU, Norway
Service Platforms, Telenor R&I, Norway
Information Systems, University of Twente, The Netherlands
S.H.Houmb@utwente.nl
Outline
•Context and Motivation
•Problem space
•One possible solution
–The Aspect-Oriented Risk Driven Development (AORDD)
Framework
•Security Solution Trade-off Analysis
•Trade-off tool BBN topology
•Aggregate information as input to the trade-off tool
–Trust-Based Information Aggregation Schema (TBIAS)
Context and Motivation
What is the Problem?
•Balancing system stakeholders’ goals, end-users’ expectations
and the contracted (or expected) level of security is not
straightforward
–Conflicting goals
–Insufficient information available (uncertainty) on the security risks posed
upon a system
–Insufficient information available (uncertainty) on the effect that the security
risks have on the system behaviour
–Insufficient information available (uncertainty) and therefore difficult to
estimate the likelihood, impact and cost of security risks (or actually the
misuse)
–Insufficient information available (uncertainty) related to the actual effect of
various alternative security solutions and thus the security level of a future
system
–Cost, TTM (time to market) and other project or organisational constraints
What is Needed?
•Methodology and tool support that make it clear which
security solution is the better one
–For the particular security risk
–For the system as a whole
–For the end-users
–“Cost-effective”
–Easy to evolve
–Easy to maintain
•In other words…decision support for choice of security solution
Focus of This Work
RQ.1: How can alternative security solutions be evaluated against each
other to identify the most effective alternative?
RQ.2: How can security risk impact and the effect of security solutions be
measured?
RQ.3: Which development, project and financial perspectives are relevant
for an information system and how can these be represented in the
context of identifying the most effective security solution among
alternatives?
RQ.4: How can the disparate information involved in RQ1, RQ2 and RQ3
be combined such that the most effective security solution among
alternatives can be identified?
Main Contributions
C.1 A set of security risk variables used to measure the impact, frequency and
cost of potential undesired events, which in this work are called misuses.
C.2 A set of security solution variables used to measure the treatment effect
and cost of alternative security solutions.
C.3 A set of trade-off parameter variables to represent and measure relevant
development, project and financial perspectives.
C.4 Methodology and tool-support for comparing the security solution variables
with the security risk variables to identify how effective a security solution is
in protecting against the relevant undesired behaviour (misuse).
C.5 Methodology and tool-support for trading off security solutions and
identifying the best-fitted one based on security, development, project and
financial perspectives.
One Possible Solution:
The AORDD Framework

Figure: the AORDD Framework, showing the AORDD Process and the framework components: the AORDD security solution trade-off analysis, the security aspect repository, the estimation repository, the RDD annotation rules, the RDD information input rule set and the trust-based information aggregation schema.
Security Solution Trade-Off Analysis

Figure: the two phases of the AORDD security solution trade-off analysis. The risk-driven analysis works from the security risk acceptance criteria and produces the list of security risks in need of treatment. The trade-off analysis takes that list, the alternative security solutions and the trade-off parameters, and returns the best “fitted” security solution or set of security solutions.
Phase 2: Trade-Off Analysis

Figure: inputs and output of the trade-off analysis.
•Risk level variables: misuse impact, misuse frequency, METM (mean effort to misuse), MTTM (mean time to misuse)
•Security solution variables: security solution effect, security solution cost
•Trade-off parameters: budget, TTM (time to market), security acceptance criteria, priorities, business goals, standards, business strategy, law and regulation
•Output: Security Solution Fitness Score
BBN Implementation: Trade-Off Tool BBN Topology

Bayesian Belief Networks (BBN): Reasoning under Uncertainty
•BBN is a powerful tool for reasoning under uncertainty
•In security solution decisions, the reasons for uncertainty are
–Incomplete understanding of a security risk or the behaviour of a
software system
–Incomplete understanding of the system (security) environment
–Incomplete knowledge of the impact of a security risk
–Incomplete knowledge of the system’s inherent vulnerabilities
–Inconsistent information on the behaviour of a system
–Inconsistent information on the effect that a security solution has on the
system behaviour
Trade-Off Tool BBN Topology

Figure: the trade-off tool BBN topology, organised in four levels (Level 1 to Level 4). The top node is the Security Solution Fitness Score; the remaining nodes are Risk Level, Treatment Effect and Cost, Trade-Off Parameters, Static Security Level, “Current” Security Level and Solution Treatment Level, with the sub nets joined through AND nodes.
TOP Sub Net

Risk Level (RL) Sub Net

Treatment Level Sub Net
This is all good but…
…where does the information
(data/numbers) come from?
…and how to combine them?
Information Sources
•Two main categories of information sources
–Empirical, historical, “objective” or directly observable, and subjective
•Directly observable information sources
–Information that represents a direct observation of the world or of a
phenomenon and that is relatively close in time (this includes
information from simulations of the real world, such as experiments)
•Subjective information sources
–A direct observation made some time ago, a direct observation of a
related phenomenon, or information given by a third party (expert)
Directly Observable Information Sources
•Public available prior experience (repository)
•Company confidential prior experience (repository)
•Domain knowledge
•Experiments
•Other empirical information
•Recommendation (best practices)
•Standards
•Real-time information sources
–Honeypots
–IDS
–Log-files
Subjective Information Sources
•Expert judgments
•Expert judgments on prior experience from similar
systems
TBIAS Overview

Figure: the Trust-Based Information Aggregation Schema in five steps.
•Step 1: establish the trust context (purpose and assumptions)
•Step 2: A, the trust relationship between information sources
•Step 3: B, the trust relationship between the decision maker and the information sources
•Step 4: apply B on A, giving the trust-based information source performance (TBISP) weights (trust-based performance weighting schema)
•Step 5: aggregate the information using the TBISP weights (trust-based information aggregation)
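A worked illustration of the five TBIAS steps and of the two source categories from the information-source slides above, added here and not the deck's own schema or code: four constructed sources (two directly observable, two subjective) each give a distribution over misuse frequency; relation A holds the trust the sources place in each other and relation B the decision maker's trust in each source. The rule that "applies B on A" in performance_weights() is an assumption made for this example, since the published TBIAS rule is not on these slides; step 5 is then a weighted mixture of the distributions, which is the form a BBN node prior for the trade-off tool would take.

```python
"""Trust-based aggregation of information-source estimates, TBIAS-style.

Added illustration, not Houmb's TBIAS. The weighting rule in
performance_weights() (decision-maker trust discounting the endorsements
sources give each other, then normalising) is an assumption made for this
example, not the published schema; all source names, trust values and
estimates are constructed.
"""

# Step 1: trust context. Every source must estimate the same quantity.
CONTEXT = {
    "purpose": "estimate P(MisuseFrequency) for one security risk",
    "assumptions": "all sources refer to the same system and time window",
    "states": ("low", "high"),
}

# Each source's estimate of P(MisuseFrequency), tagged with its category.
ESTIMATES = {
    "ids_logs":  {"low": 0.3, "high": 0.7},   # directly observable: IDS and log files
    "honeypot":  {"low": 0.4, "high": 0.6},   # directly observable: real-time source
    "expert_x":  {"low": 0.8, "high": 0.2},   # subjective: expert judgement
    "vendor_wp": {"low": 0.9, "high": 0.1},   # subjective: third-party white paper
}

# Step 2, relation A: trust between information sources, in [0, 1].
# A[i][j] is the trust source i places in source j (for non-human sources
# this is assigned by the analyst who maintains them).
INTER_SOURCE_TRUST = {
    "ids_logs":  {"honeypot": 0.8, "expert_x": 0.5, "vendor_wp": 0.2},
    "honeypot":  {"ids_logs": 0.9, "expert_x": 0.5, "vendor_wp": 0.2},
    "expert_x":  {"ids_logs": 0.7, "honeypot": 0.6, "vendor_wp": 0.3},
    "vendor_wp": {"ids_logs": 0.5, "honeypot": 0.5, "expert_x": 0.5},
}

# Step 3, relation B: the decision maker's trust in each source, in [0, 1].
# The vendor paper is not trusted at all and must end up with weight 0.
DECISION_MAKER_TRUST = {"ids_logs": 0.9, "honeypot": 0.7, "expert_x": 0.6, "vendor_wp": 0.0}


def performance_weights(a, b, endorsement_share=0.5):
    """Step 4: apply B on A to obtain trust-based IS performance weights.

    Assumed rule: each endorsement A[i][j] is discounted by B[i], so a
    recommendation from a source the decision maker does not trust counts
    for nothing; the mean discounted endorsement is blended with the
    decision maker's own trust B[j]; weights are normalised to sum to 1.
    """
    scores = {}
    for j in b:
        raters = [i for i in a if i != j and j in a[i]]
        endorsement = (sum(b[i] * a[i][j] for i in raters) / len(raters)) if raters else 0.0
        scores[j] = b[j] * ((1.0 - endorsement_share) + endorsement_share * endorsement)
    total = sum(scores.values())
    if total <= 0.0:
        raise ValueError("decision maker trusts no information source")
    return {j: s / total for j, s in scores.items()}


def aggregate(estimates, weights, states):
    """Step 5: weighted mixture of the sources' distributions, after checking
    that each estimate really is a distribution over the context's states."""
    for name, dist in estimates.items():
        if set(dist) != set(states) or abs(sum(dist.values()) - 1.0) > 1e-9:
            raise ValueError(f"{name}: not a probability distribution over {states}")
    return {s: sum(weights[n] * estimates[n][s] for n in estimates) for s in states}


def run_tbias(estimates=ESTIMATES, a=INTER_SOURCE_TRUST, b=DECISION_MAKER_TRUST,
              states=CONTEXT["states"]):
    """Run steps 4 and 5 and return (weights, aggregated distribution)."""
    weights = performance_weights(a, b)
    return weights, aggregate(estimates, weights, states)


if __name__ == "__main__":
    weights, aggregated = run_tbias()
    for name, w in sorted(weights.items(), key=lambda item: -item[1]):
        print(f"{name:10s} weight = {w:.3f}")
    print("aggregated P(MisuseFrequency):", aggregated)
```

Under the constructed inputs the IDS logs receive the largest weight, the untrusted vendor paper weight 0 (its ratings of the other sources also count for nothing, because they are discounted by B), and the aggregated P(MisuseFrequency = high) comes out near 0.54, against 0.40 for an unweighted mean of the four estimates. If the decision maker trusts no source at all, performance_weights() refuses to produce weights rather than silently dividing by zero.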
Evaluation Plan
•Phase 1: Example run-throughs and preliminary
discussion of the validity, feasibility and applicability
of the approach –This work
•Phase 2: Case scenarios and evaluation of the
validity, feasibility and applicability of the approach –
Current work
•Phase 3: Industrial field trials and evaluation of the
validity, feasibility and applicability of the approach –
Future work
Concluding Remarks
•The AORDD Security Solution Trade-Off Analysis
helps to find the best fitted security solution to a
particular security risk (or set of risks)
•The Trust-Based Information Aggregation Schema is an
information-source weighting and aggregation approach, based
on the ability of each source, that supports the Trade-Off Tool
•This work has produced a preliminary version
(prototype) of both
Future Work
•Investigate the relationship between the variables in the trade-
off tool
–Currently done using expert judgment and industrial experience
•Combine the BBN topology for the trade-off tool and TBIAS
–Currently the transfer of information between them is a manual task
•Real Option Analysis
•Evaluate using case scenarios
•Prepare the field trials
–Ongoing work
•Evaluate using field trials